First of all, change your password in your customer zone. Any questions? You will find the answers below.
How does JIM Mobile find out that this password has been leaked?
Large-scale leaks of usernames and passwords from large or well-known websites are unfortunately a regular occurrence. Examples are the leaks from Dropbox in May 2012 or LinkedIn in May 2016. Each time the details of such a leak are made public, the people operating the Have I Been Pwned service add this data to their database. This enables the service to let you check whether your username or password was ever part of such a leak. You can easily check this yourself for your email address(es) and passwords. At JIM Mobile, we like to be proactive, so we check passwords and notify the person concerned whenever necessary.
Has my password been shared with other services?
To ensure that leaked passwords are not used on our site, we check your password against Have I Been Pwned every time you log in to our site (or create an account or change your password). Don't worry, we never send your password itself. Instead, we will calculate a hash of your password. For example, the hash of the password "test123" is 7288EDD0FC3FFCBE93A0CF06E3568E28521687BC. It is important to note that hashing is a one-way street. In other words, it is not possible to go back to "test123" from 7288EDD0FC3FFCBE93A0CF06E3568E28521687BC.
What we do is send the first 5 characters of that hash, 7288E in this case, to Have I Been Pwned. Have I Been Pwned will then search their database for all hashed passwords that start with 7288E. They send us the last 35 characters of each hashed password found. If the last 35 characters of your hashed password (DD0FC3FFCBE93A0CF06E3568E28521687BC in our example) are in that list, it means that your password has been leaked at some point. In short, we hash your password, we send a very short piece of that hash, and we get back a list of end pieces of hashes. Neither we nor Have I Been Pwned ever send a password itself or a full hash of a password to each other.
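The exchange described above, written out as an added Python example (this is not JIM Mobile's code, and the reply body is constructed for the example). It uses the facts the page states: the hash is the SHA-1 of the password, the first 5 hex characters are sent, and the remaining 35 are compared locally against the list that comes back. The real Pwned Passwords range endpoint returns one "SUFFIX:COUNT" line per match, so the parser also keeps the count; the `fetch_range_online` function shows that real call but the offline demo never uses it.

```python
import hashlib
from typing import Callable
from urllib.request import Request, urlopen

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real Pwned Passwords range endpoint


def sha1_upper_hex(password: str) -> str:
    """SHA-1 digest of the UTF-8 encoded password as 40 upper-case hex characters.
    Pwned Passwords is keyed on SHA-1, which is why the page's example hash of
    "test123" is 7288EDD0FC3FFCBE93A0CF06E3568E28521687BC."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple[str, str]:
    """Split the digest into the 5-character prefix that leaves our server
    and the 35-character suffix that never does."""
    if len(full_hash) != 40:
        raise ValueError("expected a 40-character SHA-1 hex digest")
    return full_hash[:5], full_hash[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse a range reply into {suffix: count}.
    Each line is 'SUFFIX:COUNT' (35 hex characters, a colon, a decimal count).
    Blank or malformed lines are skipped, and entries with a count of 0 (the
    padding rows sent when the Add-Padding header is used) are dropped."""
    found: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        suffix, count = suffix.strip().upper(), count.strip()
        if len(suffix) != 35 or not count.isdigit():
            continue
        if int(count) > 0:
            found[suffix] = int(count)
    return found


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appeared in known leaks (0 = not found).
    Only the 5-character prefix is handed to fetch_range; the match is local."""
    prefix, suffix = split_hash(sha1_upper_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str, timeout: float = 5.0) -> str:
    """Fetch the real range for a prefix. Network call; the offline demo does not use it."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    req = Request(HIBP_RANGE_URL + prefix, headers={"User-Agent": "hibp-range-example"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service's reply to prefix 7288E. The other
# suffixes and all counts are made up; only the "test123" suffix is the real
# remainder of its SHA-1 hash.
SAMPLE_RANGES = {
    "7288E": "\r\n".join([
        "0123456789ABCDEF0123456789ABCDEF012:3",
        "DD0FC3FFCBE93A0CF06E3568E28521687BC:42",
        "F" * 35 + ":0",  # padding-style row, must be ignored
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher backed by the constructed SAMPLE_RANGES table."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("test123", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, fetch_range_offline))
```

Because `breach_count` takes the fetcher as a parameter, the same code path is used whether the range comes from the network or from the constructed table, and a caller can verify that nothing but the 5-character prefix is ever passed out.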
What are the risks if I don't change my password?
Many people reuse the same combination of email address and password on different websites. People with bad intentions know this too. So if they manage to get hold of the list of usernames and passwords that were leaked from Dropbox in 2012, they will try to use it to log in to a large number of other websites. They do this automatically, using scripts or tools that can try thousands of combinations per second.
If you had an account with Dropbox in 2012, and you now use the same username and password with JIM Mobile that you had with Dropbox back then, there is a chance that someone could use this list of leaked data to log into your JIM Mobile account. Therefore, it is important that you use a unique password for each website or service. This ensures that people who get hold of your data from website A can only use it to log in to website A, and not to websites B, C or D.